On Mon, Jun 20, 2005 at 09:52:20PM +0300, Wladimir Mutel wrote: > In our private LAN we have Windows server that initiates PPTP > connection with outside VPN server. tcp/1723 traffic is always > masqueraded very well, but when it comes to GRE, the ruleset > often loses outgoing GRE packet (does it translate it or not, I > don't know, but it does not create anything > related/established - when outside server tries to send GRE > packet first, our Linux router responds with ICMP: protocol 47 > unreachable). But this behaviour sometimes changes to desirable > one: in some way, GRE connection is established and > translated/masqueraded very well for the rest of time until > Windows reconnect or Linux reboot/ruleset reload. yes, that is totally conforming to what your ruleset looks like. if the first packet comes from your internal network, then a nat mapping is set up, and incoming response packets will be NATed accordingly. if the first packet comes from your remote pptp server, then your ruleset treats it like an incoming connection to a not-opened port and therefore sends it up the local network stack. Since no program has upened a socket for the gre protocol, the NAT machine responds with protocol unreachable. If you want to make it work, you have two options 1) to configure a DNAT rule for GRE, DNAT'ing all incoming GRE packets from the server to your internal PPTP client. 2) to configure your NAT box to silently DROP incoming GRE packets with state "NEW". This way you basically ignore the first packet(s) from server->client and wait for the client->server packet to set up the connection. > As I know, you work on PPTP masquerading module for iptables and > kernel 2.6. Could you please inform when it will be possible to > use it with kernel 2.6.12, or how could we masquerade (single) > PPTP connection with current 2.6.12 iptables feature set and get > more predictable behaviour from it than that random one I just > described. the scheduled date is no later than June 30. But you don't need a conntrack/nat helper if you only run one pptp session, just configure your nat correctly and it will work. > > Thank you in advance for your reply. -- - Harald Welte <laforge@xxxxxxxxxxxxx> http://netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
Attachment:
signature.asc
Description: Digital signature
